Bug 1795964

Summary: Temporarily add custom KubeVirt type to container-selinux
Product: Red Hat Enterprise Linux 8
Reporter: Fabian Deutsch <fdeutsch>
Component: container-selinux
Assignee: Jindrich Novy <jnovy>
Status: CLOSED NOTABUG
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.2
CC: danken, ipinto, jlejosne, jnovy, lvrabec, tsweeney, vromanso, ycui, ypu
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: container-selinux-2.135.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1795975
Environment:
Last Closed: 2020-06-09 08:49:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1795975

Description Fabian Deutsch 2020-01-29 10:43:57 UTC
Description of problem:
Today KubeVirt (part of CNV) is using custom selinux types/rules to confine the container which is running the user workload (virt-launcher).
On regular hosts this policy (.cil) is injected dynamically at runtime into the host kernel.
But this is not possible on RHCOS - there a policy needs to be part of the kernel from the beginning.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Use custom policy on pod on RHCOS
2.
3.

Actual results:
Fails to find the policy and fails to launch the container.

Expected results:
Can launch the container

Additional info:
This is a temporary solution.
In the long run we are aiming to move KubeVirt to reuse the svirt types which are already present (at least in the RHEL policy).
Once it is completed, this temporary policy can be dropped again.

Comment 3 Daniel Walsh 2020-01-29 11:36:51 UTC
Do you have the policy?

Comment 4 Lukas Vrabec 2020-01-29 11:52:19 UTC
Working on it.

Comment 7 Tom Sweeney 2020-06-03 22:30:51 UTC
Assigning to Jindrich for any packaging or BZ needs.  I think this was rolled up in prior releases.

Comment 9 Jed Lejosne 2020-06-04 19:31:08 UTC
The kubevirt virt-launcher cil policy seems to install just fine on recent versions of OCP/RHCOS.

I just tested this, here are some (redacted) logs:

$ openshift-install version | head -1
openshift-install 4.4.6
$ openshift-install --dir ocp create cluster
[...]
$ export KUBECONFIG=`pwd`/ocp/auth/kubeconfig
$ oc get nodes  # Pick a worker
$ oc debug node/<worker>
sh-4.2# chroot /host
sh-4.4# cat /etc/redhat-release 
Red Hat Enterprise Linux CoreOS release 4.4
sh-4.4# runcon -t container_t /bin/echo test
test
sh-4.4# runcon -t virt_launcher.process /bin/echo test
runcon: invalid context: 'system_u:system_r:virt_launcher.process:s0': Invalid argument
sh-4.4# exit
sh-4.2# exit
$ export KUBEVIRT_VERSION=v0.29.2
$ kubectl create -f https://github.com/kubevirt/kubevirt/releases/download/${KUBEVIRT_VERSION}/kubevirt-operator.yaml
$ kubectl create -f https://github.com/kubevirt/kubevirt/releases/download/${KUBEVIRT_VERSION}/kubevirt-cr.yaml
$ sleep 2m
$ oc debug node/<worker>
sh-4.2# chroot /host
sh-4.4# runcon -t virt_launcher.process /bin/echo test
test
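
The before/after check in the transcript above relies on runcon rejecting a context whose type is not in the loaded policy. The helpers below are an added example (not code from this bug report, from container-selinux or from KubeVirt) that perform the same check without launching a container: they ask the kernel directly through selinuxfs (the "context" node that libselinux's security_check_context() writes to), or use seinfo from setools when it is installed, and can optionally install a .cil module with semodule and re-check. The selinuxfs path, the presence of seinfo/semodule, and the exact runcon error wording matched on are assumptions.

```sh
#!/bin/sh
# Added example, not part of the bug report or of KubeVirt's own code.
# Helpers for checking whether an SELinux type (e.g. virt_launcher.process)
# exists in the policy the kernel is currently running.
#
# Assumptions (not stated on the page): selinuxfs is mounted at
# /sys/fs/selinux and writable by root; `seinfo` (setools) and `semodule`
# are on PATH where used; any .cil module passed in is one you trust.

SELINUXFS_DEFAULT=/sys/fs/selinux

# selinux_context_valid CONTEXT [SELINUXFS]
# Asks the kernel whether CONTEXT is valid under the loaded policy by writing
# it to selinuxfs' "context" node (the check libselinux's
# security_check_context() performs). Exit status: 0 valid, 1 invalid,
# 2 cannot tell (no selinuxfs at that path, so no kernel policy to ask).
selinux_context_valid() {
    ctx=$1
    fs=${2:-$SELINUXFS_DEFAULT}
    [ -e "$fs/context" ] || return 2
    if printf '%s' "$ctx" > "$fs/context" 2>/dev/null; then
        return 0
    fi
    return 1
}

# selinux_type_present TYPE [SELINUXFS]
# True if TYPE exists in the running policy. Prefers `seinfo -t TYPE`
# (setools; prints "Types: N" with N >= 1 on an exact match) and falls back
# to validating a system_u:system_r:TYPE:s0 context through selinuxfs.
selinux_type_present() {
    t=$1
    fs=${2:-$SELINUXFS_DEFAULT}
    if command -v seinfo >/dev/null 2>&1; then
        seinfo -t "$t" 2>/dev/null | grep -q '^Types: [1-9]'
        return
    fi
    selinux_context_valid "system_u:system_r:$t:s0" "$fs"
}

# classify_runcon_error MESSAGE
# Maps runcon's stderr to a cause, so a script can tell "type missing from
# policy" (the situation in this bug) apart from "type exists but the
# transition is denied". The strings matched are assumptions based on the
# runcon output quoted in the thread and on execve failing with EACCES.
#   ok            -> empty message
#   missing-type  -> "invalid context": the type is not in the loaded policy
#   denied        -> "Permission denied": type exists, transition not allowed
#   unknown       -> anything else
classify_runcon_error() {
    msg=$1
    case $msg in
        "") echo ok ;;
        *"invalid context"*) echo missing-type ;;
        *"Permission denied"*) echo denied ;;
        *) echo unknown ;;
    esac
}

# Usage: sh check_type.sh TYPE [MODULE.cil]
# Reports whether TYPE is present; if a .cil module is given and the type is
# missing, installs it with semodule (needs root) and checks again.
main() {
    t=$1
    cil=$2
    if selinux_type_present "$t"; then
        echo "$t: present in loaded policy"
        return 0
    fi
    echo "$t: NOT in loaded policy"
    [ -n "$cil" ] || return 1
    echo "installing $cil with semodule"
    semodule -i "$cil"
    if selinux_type_present "$t"; then
        echo "$t: present after install"
        return 0
    fi
    echo "$t: still missing after install (check the module's block/type names)"
    return 1
}

# Only run when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root on the node (after `chroot /host` in the debug pod, as in the transcript) with the type name, e.g. `sh check_type.sh virt_launcher.process`. The selinuxfs write is the most direct check because it asks the kernel that will enforce the policy, rather than a userspace tool that may read a different policy store; it needs the `security { check_context }` permission, which root in an unconfined shell has.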

Comment 12 Dan Kenigsberg 2020-06-07 05:27:44 UTC
(In reply to Jed Lejosne from comment #9)
> The kubevirt virt-launcher cil policy seems to install just fine on recent
> versions of OCP/RHCOS.

Jed, what are you saying? That we no longer need virt_launcher*_t introduced here? Please be explicit regarding an action we should take.

Comment 13 Jed Lejosne 2020-06-08 15:17:27 UTC
(In reply to Dan Kenigsberg from comment #12)
> (In reply to Jed Lejosne from comment #9)
> > The kubevirt virt-launcher cil policy seems to install just fine on recent
> > versions of OCP/RHCOS.
> 
> Jed, what are you saying? That we no longer need virt_launcher*_t introduced
> here? Please be explicit regarding an action we should take.

Yes, I am implying that virt_launcher*_t doesn't need to be added to the main policy anymore, since .cil modules seem to install just fine on RHCOS.
However, it is possible I missed something here, which is why I pasted some shell logs to make sure we're all talking about the same thing.
If I'm correct, then no action is needed on this ticket anymore.

Comment 14 Dan Kenigsberg 2020-06-08 16:55:21 UTC
Don't we need to revert the change introduced here? (for cleanliness' sake)

Comment 15 Vladik Romanovsky 2020-06-08 20:45:11 UTC
(In reply to Dan Kenigsberg from comment #14)
> Don't we need to revert the change introduced here? (for cleanliness sake)

I wonder which changes have been introduced here?
https://github.com/containers/container-selinux/pull/87 has never been merged. Dan Walsh just pointed out that there is a container_kvm_t policy, however, it is not a good fit for us.
Hence, I don't see which changes we need to revert.
Does anyone know of the existence of a virt_launcher*_t policy in container-selinux?

Comment 16 Jed Lejosne 2020-06-08 20:57:26 UTC
I checked RHCOS 4.4, and its SELinux policy doesn't have a virt_launcher_t type.
From a toolbox shell:
```
# sesearch -s virt_launcher_t -A
virt_launcher_t is not a valid type attribute
```

Comment 17 Vladik Romanovsky 2020-06-08 21:00:42 UTC
(In reply to Jed Lejosne from comment #16)
> I checked RHCOS 4.4, and its SELinux policy doesn't have a virt_launcher_t
> type.
> From a toolbox shell:
> ```
> # sesearch -s virt_launcher_t -A
> virt_launcher_t is not a valid type attribute
> ```

Thank you, Jed.
I think we are safe and there is nothing to revert.

Comment 18 Fabian Deutsch 2020-06-09 08:05:51 UTC
I agree. No code has been merged. This bug is falsely part of an errata.

Jindrich, can you please drop this bug from the errata and close it?

Comment 20 Jindrich Novy 2020-06-09 08:49:14 UTC
Closing based on comment #18.